 Good afternoon, Cloud Community, and welcome back to Fabulous Chicago. We're here at KubeCon, CloudNativeCon. My name is Savannah Peterson, joined by our fabulous new analyst, Dustin. How are you doing today? Having fun, let's do this. Day two, you feeling smart? Absolutely. All right. Smart, I don't know. I'm just checking if we're listening. Now, at this point, very, very, very excited about our guest, a company that you and I are both fans of, GitLab. I'm sure you've all heard of them. We've got David from GitLab. David, hello, welcome. Thank you for having me. How are you doing? Doing good. Good vibe here going on. Yeah, we were just talking before the cameras turned on about the ascent of momentum. It really does feel like a different energy, not just because the show floor is a bit more packed than, say, Detroit last year. But I feel like a lot of projects and collaborations are starting to reach a point of maturity where we're seeing things accelerate. Yeah. What have been some of your observations? Well, everything seems to be about AI in Detroit. Yeah, it's all about security. It felt like everyone was talking about security. And now everyone's talking about AI. I think the other thing too is I've heard a lot about needing more visibility into what's happening. And I feel like that was one of the original themes of KubeCon was operations and observability, right? And so seeing that kind of creep back up to say, yeah, yeah, I'm doing all the cloud native things now, but where's my stuff? And is it up? Is it working? What's going on with it? And so I've seen that be a nice little thread going through a lot of the stuff I've been hearing. And the focus on AI has to play well into your pants, right? It does, yeah. So GitLab in June released what we call GitLab Duo. It is our AI suite of power, DevSecOps AI powered workflows. And it focuses on everything from helping you in planning all the way through coding, securing and deploying. Because GitLab is in a DevSecOps platform and covers the entire DevSecOps life cycle, and I know you both know that, being fans. No, I love it, no, but I mean, it's always great to give the audience context because you are, and it's a broad spectrum and you're touching a lot of different industries within that. We are, and we feel like to make organizations successfully, you got to apply AI for everyone. And so that's where GitLab Duo is really taken hold is people using it for everything. Were you anticipating this moment of AI adoption and this hype curve coming? Because your announcement sounds like it was pretty well timed. Yeah, so yes and no, I would say on the yes, we started adding AI- I think I'm an honest answer. Yeah, I'll kind of give you the framing for it, right? So like, yes and that, we started adding AI to GitLab in 2021. We asked our customers, what's your biggest pain point? It was getting through code review. And so we applied AI to code review. The thing that I was not as surprised for, and I think just the industry as a whole, if you were to ask everyone 18 months ago what GPT-4, Palm 2, Cloud 2 could do, I'm not sure everyone would jump to the amount of things that AI can now already do. So that's where it's a little caught off guard on that part of it. But no, I've always thought that AI would help in depths like ops. It would help in operations. And so I'm not surprised by those things. It's just the, I mean, I'll put it to you this way. My parents thought BARD when I showed them BARD was like a sentient little like, I don't know, person living inside of a computer responding and not software, right? I showed them BARD before chat GPT. I did. I was actually preparing as my sister's wedding and I was supposed to give a toast and I decided it'd be totally me being a tech person to have AI right the toast. Wow, that's one way to get out of a speech writing situation too. My sister was in tears laughing. She loved it. I think that's great and very clever. I also love that your family humanized a sentient being. Did this person, did BARD have characteristics? Was there like, oh, there's like, where is this person that's doing this? I'm like, it's software. My parents are, are much older, right? So I, but I don't think that their age is actually even super relevant in this case because I feel like a lot of people are wondering what that is. Or is there just- That's true. Yes. We'll be fair to my parents. Yeah. I'll throw your parents a bone. Yeah. They clearly created a lovely son. So we'll give them- Well, thank you. Yeah. So I'm going to bring us back to DevSecOps. Yes. Please do. If anything we're talking about is on stage, I don't know. All right, all right. DevSecOps and AI. Give us like that cross-section, you know, for where you guys are with that journey. Yeah, great. So we did start with code review with AI. Code review, very important part of DevSecOps. But the next year we actually looked at with security. What we did at GitLab, and I joined GitLab in 2019 to add security compliance to DevOps. We realized we shift security left. We made it more developer friendly. But if you ask yourself, and I've asked myself this, like, does a developer wake up in the morning and say, I want to write a vulnerability to the application today? They don't go like, yes, zero day today. I mean, let's hope not. Let's hope not. Well, we'll assume positive intent. So we then said, well, how do you make security even more approachable? And so we started on what we call explain this vulnerability. So what it does is, when a vulnerability is found by our security scanners, they have the option to ask Duo to explain it to them in natural language, give them an example of it being exploited in the programming language they're using, and then how to resolve it in that programming language. And so when you talk about DevSecOps and AI, we see it as empowering everyone who's involved to be more efficient. You hear a lot about AI and DevSecOps and it being around code creation. And that's important. GitLab does that. But if you make your developers a hundred times more effective, that's only one little sliver of the SDLC. Everyone else is going to be impacted. I think developers more effective. Obviously, obviously, obviously core to the GitLab value proposition. I assume you're able to do some measurement. Now that this Duo has explained to developer A, what this vulnerability is, how it was introduced, you're able to educate that developer A. Surely you're able to see that person's contributions going forward and I don't know, measure some new efficiency and new knowledge gained. Yeah, so the one value of GitLab being a platform is that we actually have all the data sitting in GitLab. And so if you're fully adopted to GitLab, we can actually do value stream analytics, so measuring how you're doing it, delivering software. And in that, when you're- Talk about being able to test a hypothesis. Right. You're thinking about this, that's so cool. And so that's how we're able to pull efficiency metrics. And so with that, you can see developer code contribution go up. You can see developer merge rate going up. And then you can be able to say like, hey, I've applied AI here successfully. I was talking to a customer last week who said they're seeing between a 50 and 90% boost in efficiency for their engineering or- That's significant. It is. But that's because it's not just improving the developer experience, it's supporting the security teams, the operations teams around them. It's that holistic support. Exactly. Which is going to make a big difference. And according to your own DevSecOps report, 25% of time is spent developing code and that's it. So when we're thinking about that as an only, as a single stream optimization, you're not looking at the activities or the manpower of the entire organization. Yeah, correct. That's why I was kind of saying that if you accelerate just the developer, that's 25%. And honestly, I feel very strongly that if you did just do that, and let's say you made your developers a hundred times more effective, you're going to break everything else around them, right? CIC pipelines are going to work, there's not going to be enough planning stuff ready for them, infrastructure's going to fall over, right? It's just, there's so many things that you have to boost everyone. Marketer's not going to know what's going on. You know, it's like, it's not even just on the tech team in that circumstance. I think that's interesting. GitLab's been on a journey, you're 12 years old. You IPOed two years ago, I remember it was in October, we were actually at KubeCon in LA, totally different vibe than this, but just absolutely explosive growth since that moment, the momentum. Do you think that the AI, I don't like calling it a revolution, I think we're just in the evolution of it. I'm going to call it the AI evolution. I like it, we'll go with that. Thank you. Your approval is all I need when I'm naming terms. You can now ship it. Yeah, we're shipping, it's straight to prod. So let's just make a lot of jokes in the middle of this. Do you think that your growth is going to also explode with this to support that movement? Yeah, so I mean, GitLab continues to grow at an alarming rate or enormous rate, right? A very good rate. It's so alarming, it's wonderful. It's great, yeah, alarming's not the right word. Inspiring rate. And what I've looked at it from is the, thank you, because it's not alarming, it's great, it's explosive. But the thing that I take from that in AI is a parallel to it, is that people are craving efficient delivery of software. And so GitLab's growth is based off of that. And now if you tag AI with that, it's just going to continue to make that success rate go faster. We said a hypothesis for AI when we were embedding it into GitLab. We said three core tenants of how we're going to play AI. One of those was that we wanted to boost everyone in the organization and cause organizations to be 10 times more effective at delivering secure software. And so with that. Casual order of magnitude, yeah. I think I said big goals for the product team. I love that. I'd be disappointed if I wasn't. So, and we've already seen that with GitLab. Our customers, we did a survey through Forster about 18 months ago of GitLab ultimate customers, people using the full platform. And out of that survey came a 7X efficiency from where they were prior to GitLab. And then they got an ROI in less than six months, right? So if you look at that, now you play AI. I want that to go faster. I want you to see that in three months. I want to see that 10X in that window as well. How are you approaching, so this is awesome scale, everyone's using it, love that. I mean 7X alone just from starting to use GitLab. Talk about a tooling boost, that's awesome. Let's talk about the sexiest topic, compliance. How are you factoring that in? So, as I mentioned, I joined GitLab to add securing compliance in the product. Secure is a passion of mine. And started my career as a researcher, went into engineering, then joined the dark side, went into product. But I realized early on that unless you give people the controls to truly understand how they're using GitLab and how security is impacting them, they can't truly ship secure software. And so about two years ago, we launched a new module, GitLab called govern. So, GitLab's based off the DevSecOps stages, create, verify, plan, so forth. We've had our own in secure and govern. And govern's whole principle was, let's give you compliance controls that can be a herit across all of GitLab. Let's give you the visibility to understand where compliance violations are happening and ability to stream audit events to understand what's happening. And so, if you're using GitLab, you see all of that within GitLab and you can stream it out to your compliance software if there's a place you need to store for compliance reasons. A customer, Chorus AI, shared, they got through their SOC2 audit in less than a day because of GitLab. What? Every time the, yeah, every time the analysts- That's unheard of. Every time the compliance person asked- That's awesome. External contractors like, where is, how can you show them? They go, let's try here in GitLab. And so, if you think about that, you have to marry compliance with security and with DevOps, if you don't, you don't really have the full controls and the visibility you need. Yeah, are you seeing that as being a driving factor of some of the buying decisions? GitLab as a commercial product, as a commercial company, we're all here around open source, but I think I've seen, maybe you can validate our counter examples, but, you know, does that drive business? It actually, it absolutely does. So, when people would come to GitLab when I started, it was all about source code management. And then it kind of churned into, we're coming to GitLab for source code management and CI CD. And a lot of customers day one are now starting with security. And it's not that their security tools they have aren't efficient. You know, those people are also our partners, you can integrate them into GitLab, but it's about that visibility and the controls. And so they can make their existing security tools that they maybe don't want to give up yet, even more powerful for them through GitLab's compliance and governance. But then over time, they begin to adopt the GitLab security scanners because they're truly built to shift security left. Our SaaS scanner as an example, so doing SaaS analysis can finish sometimes scanning before the UI tells you it ran. You just see it says it completed. That's because we can scan that Delta code change. And so it's really efficient to be able to use GitLab for that. So you're saying you see some advantages to starting left as opposed to shifting left. Like if you start with a certain security posture, you end up in a better place much faster. Yeah, imagine like if you're making that decision to change how your developers deliver software, how your security teams operations team work, it's easier to do that at once than it is to do it over multiple, like it's like that death by a thousand paper cuts type of thing, right? Yeah. And so if you're going to say, hey, we're moving to GitLab for source code management and CI CD, and we're going to put security governance in from the beginning, you're going to see that boost in your security, your governance and that visibility. And then you feel better as an organization because you have that view into what you didn't have before. And that confidence as you continue to build on top of that. Yeah, absolutely. I love meeting with our customers. You mentioned we started as open source. We did. We're still source available and we have an open source version you can run a community edition. But what I love about our customers is their partners for us. And a lot of companies say that. I can tell you, I feel that they contribute software into GitLab. Some of our ultimate customers build out new ultimate features for their competitors, their partners. The synergy and the win-win there is a little bit. Some of my favorite features have come from open source and some of them have been security improvements. In 2020, I think it was mid-2020, fall of 2020, HEB, large grocery chain in North America here contributed mobile applications to security scanning to ultimate. And so that's the community that GitLab has become. HEB. HEB. My wife shops at HEB twice. Oh yeah, we lived in Austin, we shopped there all the time. That's great. We're talking about groceries, we're talking about sentient beings. Hey, we can talk about everything. We are really covering the spectrum here and I really like it. Just as a side note, because you meant sentient beings. I encourage everyone to be polite to chatbots. Yes. I've seen Terminator and where Skynet goes. Let's be kind to them today. I agree. I mean, spread kindness in general. Yes. And say the nice things out loud. Y'all, it's been a weird year for the chatbots for everyone. It's been a very, very interesting year. Let's just keep the positive vibes rolling. But I'm sorry you're going. Yeah, no. I actually, I really agree with you though there. I love that you brought that up because I think that it is important that we are kind in our approach to this new technology and not just obviously talking to the chatbot, but also when we're thinking about our bias and when we're training these models. Absolutely. And one of the things that I want to call out because I think GitLab does this very well as a company that was all remote day one. You've got 2,200 employees. You mentioned over 65 different countries. Correct. And I think it's a fairly diverse workforce. Is that a part of your strategy slash a benefit for the way that GitLab's approaching AI to fundamentally have that diversity represented already? It is. So one of the things that take a lot of pride in a GitLab is the culture where exactly we look like from the outside and the inside. And that drives our decisions around things like AI where we're hiring what we're doing. One of those values is assumed positive intent. And when you start doing something around AI, there can be a lot of bias. If you're training a large language model on the internet, clearly it's not necessarily a friendly place, right? And so we've been very purposeful. One of the things we decided to do was say that we would pick the right AI model for the right use case. And what that means is that we're using 16 different models depending on the future. Wow. Because that feature is using a model that we select as purposefully for that. That's allowed us to remove bias in a lot of the responses that GitLab Duo can provide. It's allowed us to reduce confabulation, hallucination depending which term you want to use for it in the AI world. And so an example, explain this vulnerability, that second feature relaunched. It's using an AI model that only understands security vulnerabilities. If you ask it about what's the best banana loaf bread recipe, like it does, it's going to tell you it doesn't know what that is, right? And if you're doing that, you can begin to make the models be a little bit more purposeful but a little bit smaller. And then they're trained on only the exact data. So you don't have this like, you grab a large LLM, it's a hammer, everything becomes a nail. Right. It helps avoid that. And by all means, we hold our partners accountable on making sure they're also helping us with that. I like that. I actually love that you called out those 16 things. It's like you got your box of crayons and depending on the situation, you're picking the right crayon. It makes a really big difference across the board. Wow, this was absolutely fascinating. David, thank you so much for joining us. This was a joy. Yeah, I loved it. And by the way, like I said it right before, earrings are amazing. Thank you. I'm a pretty recorded fall attorney. And I'm joking to meet both of you. Like I said, I was a fan, read some of the stuff, seen interviews, so very much thank you for having me. Hey, our pleasure. We look forward to having you back hopefully in Paris and then again, wherever keep going. There you go. NA is next year. Thanks a lot, Dustin. Thanks so much for your insights, for joining me and for keeping us on topic. This case, let me get a little excited. Indeed, well, you know. Yeah, yeah. I do my part. Except unless we're talking about HEB. We'll see you about it. And thank you all for tuning in live to our coverage here at KipCon, CloudDataCon in Chicago, Illinois. My name is Savannah Peterson and you're watching theCUBE, the leading source for emerging tech news.